VSEC Blog: IT Security Channel News brought to you by Infinigate UK

The Truth About Cloud Hosted Services and the GDPR

Posted: 24 October 2018

Although it was issued under the Data Protection Act 1998 rather than the GDPR, the penalty the ICO recently handed to Equifax for its catastrophic handling of the widely reported 2017 data breach has pushed data protection, and the GDPR in particular, right back under the spotlight.

One area that is often overlooked, particularly by small and medium-sized organisations, is the cloud.

Whether it be cloud-hosted email services, managed security services, data storage or backup software, if it's used to process personal data, then it's in scope.

Data Controller & Processor

The first course of action when shoring up your GDPR adherence in the cloud is to define your relationship with the service or provider in question.

The GDPR recognises two distinct roles: the data controller and the data processor. To simplify things, a controller determines why and how personal data is to be processed, whereas the processor only executes the instructions given to it by the controller.

A good example of this is a cloud-based email provider. It sends, stores and processes emails containing personal data on the instructions of its customer: you. That makes you the controller and the provider the processor for that data. (The provider will usually be a controller in its own right for your account and billing details; the processor role covers the content you ask it to handle on your behalf.)

GDPR Contracts & Agreements

When striking up a controller and processor arrangement with a third party or a cloud service provider, there are a number of things to define to keep everything above board:

Document the processing instructions for your processor: Many cloud service providers already include this in their standard terms, often as a data processing agreement or addendum, but you will want to verify that it actually covers the processing you intend to carry out. The GDPR requires a written contract between controller and processor, and legally a processor may only carry out the processing activities it has been instructed to perform.

Understand where personal data will reside and be processed: Cloud services can be spread across multiple geographical regions for both cost and availability purposes, and that includes replicas, backups and support staff access, not just the primary storage location. You will need to ensure that processing takes place either within the EU/EEA or in a country that benefits from an EU adequacy decision, or that any other transfer is covered by a recognised safeguard such as standard contractual clauses.

Define how you will execute data subject rights: Data subjects have the right to access their personal data, to have it corrected or erased, and to object to or restrict further processing. You as the data controller, together with your processor, need an agreed process that lets you locate, export and delete an individual's data across the service within the one-month deadline the regulation sets.

Note that this list is not exhaustive.

Incident Response & Data Breaches

One of the more interesting aspects of the GDPR is its shared accountability. Under the regulation, responsibility for a data breach and its fallout cannot simply be laid at the feet of one party alone.

Controllers must only use processors that provide sufficient guarantees, and processors carry direct obligations of their own, so each side can be held responsible for failing to vet the other.

A data breach is a much wider term than most people appreciate, with some equating it to a network breach. Under the regulation it covers any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that simply giving a member of staff more privilege than they need, so that they can see personal data they should not be able to, constitutes a breach, albeit usually a low-severity one.

The regulation places obligations on both controllers and processors regarding their response to data breaches, and since minor breaches of this kind are likely to be fairly common, the two will need to cooperate closely.

You will need to ensure that your cloud service provider has an agreed means and route to notify you of detected breaches without undue delay. You will need to log these incidents and investigate them where necessary, and where a breach is likely to result in a risk to the individuals affected you must report it to the supervisory authority within 72 hours of becoming aware of it. That clock starts with you, the controller, so a provider that notifies you late leaves you with very little time.

The supervisory authority will not act as a mediator between you and your controller/processor; it will hold each party accountable for its own obligations rather than accept that the fault lay entirely with the other. It is therefore important that breach reporting and the measures taken to reduce breaches are all clear from the outset.

A Careful & Measured Approach

In reality, cloud services under the GDPR are no scarier than any other processing activity. So long as you have prepared and agreed the necessary actions and responses with your processor, they are not necessarily any more of a risk.

Like any risk-driven standard, certification or regulation, the GDPR is looking for careful and measured approaches to handling personal data.
